Hi All,

We have a topo with 3x IPA servers + freeradius.

Freeradius is being used to do mschap with wifi APs. Freeradius connects
over ldap to IPA.

In order to do the challange-response thing, freeipa has AllowNTHash

So I wanted to enable 2FA/OTP but leave the NTHash as is for wifi auth.

In the moment I disallow Password auth for a user and enable OTP the wifi
auth stopps working, but the hash clearly stays in ldap.

The goal is to stay with password on freeradius but for everything else:
kerberos/sssd related use password+code.

How can I disable password login for user but still make freeradius work
with ldap, so when it asks for users hash it gets one.

Freeradius ldap mod snippet:
"base_dn = "cn=users,cn=accounts,dc=cs,dc=com""

Thank You

Best regards

Maciej Drobniuch
Network Security Engineer
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to